cahwyguy | Entries tagged with security

I’ve been reading a lot today about the Equifax compromise, where, you, the person whose data Equifax collected, were caught with your pants down because — although you buckled the belt as you should — the manufacturer forgot to secure the buckle to belt. When you bent over to pick up that hot dog that landed on the floor — whoops, your privates, and those of 143 Million other Equifax individuals about which Equifax had data (about 44%) were put out there for all the world to see, to point at, and to laugh.

Don’t you feel embarrassed? Don’t you feel like you should lock yourself up in a dark room and hide forever?

You don’t need to. Equifax has provided a complicated checking procedure and registration approach that, ultimately, puts you in a queue for a paid year of credit monitoring, while you give up your rights to arbitration and class actions suits¹. Doesn’t that make you feel better? Oh, and that credit monitoring. I think you still need to give a credit card, so they can start billing you after the free year is over.² Still feel better? Remember, this is monitoring — it doesn’t stop anything and lets you know after the information is used. Of course, you can have confidence in Equifax that they will protect you after the breech, given how they have handled it. [ETA: Oh, and Equifax was sending people to a fake phishing site.]

¹: [Update: They later clarified this wasn’t the case, although initial language made it appear to be the case. Translation: Sloppy response to the situation; poor contingency planning.]
²: [Update: They since removed the requirement for a credit card; it was there when this article was written]

Of course, there are security folks proposing other solutions. Some suggest the easy solution of just giving everyone new, more secure, social security numbers. Alternatively, we could start using our RealID Drivers License, and have one national identity number.

More sane folks are recommending a two pronged approach that doesn’t requiring using Equifax’s protection: the most common approach is suggesting a fraud alert on your records, and paying to have a freeze to prevent new accounts. All good ideas.

As for me, I’m going to wait and see. With 143 Million pieces of data, their odds of picking me are, well, 1 in 143 million. That’s pretty small. Plus the information has been out there for months — and with information like this, you have to use it quickly or it loses its value. Have we seen an uptick in identity theft? I haven’t heard of anything. I strongly suspect that this was a nation state, just like the OPM breach, and only select data will be used, for sophisticated spear phishing attacks. After all, why do they need to do the fraud when they can get you to unlock the door? Further, this isn’t the only attack: you’ve likely already had your information released (see this site).

Oh, and before you get scared about using the Internet, think about this: You don’t have to be an Internet user to have your information in the Equifax data. You just have to have had credit as some point in your life. The fault was with Equifax, the company you trusted to protect your data. Oh, that’s right. You didn’t choose Equifax. The fault was with Equifax, the company other companies trusted to give them accurate credit data. Equifax didn’t care about you or your credit. And neither did that little minx, Wendy*.

It is not in Equifax’s business model to protect your data: well, they’ll protect it only until they can sell it to the highest bidder. Remember the adage: If you get the service for free, you’re not the customer, you’re the product. [Translation: Equifax and other credit reporters make money by selling your data. Until their customers — the financial organizations that buy their data — demand accurate information, nothing will change. They won’t demand as long as it doesn’t cost them. They don’t pay the cost of the identity theft — you do.]

Feel better now? If not, wait I bit. I’ll be posting something this evening that will make you feel much better, even if your pants are down.

P.S.: Speaking about phishing, my favorite theatre about spam is having performances on 9/10 and 9/17. Go see it. It had Gene Spafford rolling in the aisles.

*[Paraphrasing my favorite Alton Brown quote, long since removed from his website:]

Here’s what it comes down to kids. Equifax doesn’t give a damn about you. Neither does that little minx Rachel from Card Services or any of the other icons of finance. And you know what, they’re not supposed to. They’re businesses doing what businesses do. They don’t love you. They are not going to laugh with you on your birthdays, or hold you when you’re sick and sad. They won’t be with you when you graduate, when your children are born or when you die. You will be with you and your family and friends will be with you. And, if you’re any kind of human being, you will be there for them. And you know what, you and your family and friends are supposed to watch out for you too. That’s right folks, protecting someone else’s information is an act of caring. We will always be protected best by those that care, be it ourselves or the aforementioned friends and family.

We are having our information exposed and exploited and exploited again because we have handed a basic, fundamental and intimate function of life over to corporations. We choose to value our information so little that we entrust it to strangers. We hand our lives over to big companies and then drag them to court when the deal goes bad. This is insanity.

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

===> Click Here To Comment <==
(Click Here to Comment)

Over the last few days, my newsfeed has been filled with people gloating over the fact that the fellow who came up with that original guidance — make complex passwords and change them often — admitted he was wrong. But, if course, as with most people, they are misinterpreting things. Here are some key takeaways:

Complex passwords are still critical, but the answer is not an unpronouncable mix of letters and characters — because you can’t remember that. You can get equal or stronger passwords by choosing random words from the dictionary (passphrases) because although the “string” is shorter, the alphabet is larger. Math is math.
Frequent changing of passwords defeats the strength not because frequent changing is bad, but because human nature is. If you change things frequently, you’ll go to patterns that make things easier to remember — and to break.

In reality, the best solution is still a high-quality Password Manager, with a strong master password. In the password manager, you can create strong passwords for all your sites — unique for each site — and not have to remember them. This is something recommend (and not using my Facebook authentication for everything, which is not only weak but gives FB far too much information). I’ve recommended Lastpass for a long time for this purpose. It can keep track not only of passwords, but all that information you fill into forms — such as credit card info — so that you are storing it in your encrypted password vault, not on another machine where you depend on their encryption.

Recently, Lastpass changed their charging model: they upped the price (without notice) of Lastpass Premium from $12 to $24 a year. Everyone was up in arms! Heaven forfend! Doubling the price! (Never mind the fact that we’re talking $1 a month, which is noise, but hey, it’s the percentage!). It’s a concern for me: we have three Lastpass Premium accounts. However, I plan to move to the Family pricing model (which is worth it for 2 or more family members); hopefully, Lastpass will provide a way to consolidate existing Premium accounts into a single Family account with prorata balances applying towards the fee.

In the larger world, NIST is simplifying their password recommendations. The folks at Lastpass believe that will make things easier, but I believe that the fundamentals still remain: pick a unique password for each site, make it suitably complex, ideally gaining complexity through words vs. characters. How to do that? Use the password generator in your password manager, use the nonsense word generator, or use the XKCD Password Generator, XKPasswd.

===> Click Here To Comment <==
(Click Here to Comment)

This is a companion lunchtime post to my previous one. Whereas that post focused on government-related areas, this posts shares some cybersecurity items of broader interest:

Two Factor Authentication. The Verge has an interesting opinion piece on why two-factor authentication has failed us. We have a mix of approaches, some still depending on SMS even though there are significant weaknesses there. As they say: “Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts. Dedicated hackers have little problem bypassing through the weaker implementations, either by intercepting codes or exploiting account-recovery systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be honest about its limits. In 2017, just having two-factor is no longer enough.”
Backup Software. One of the best solutions for security — and a key protection against ransomware — is having backups. But Windows backup software is often hit or miss. Here’s a good review of various packages from PC World. I’ve been using an older version of their top-rated software for a few years now: I’m on Acronis True Image 2015. It backs up to the cloud without a subscription. Their newer stuff seems to have some different models, and I haven’t decided (a) if I want to upgrade, and (b) if I want to go with their subscription approach. I’ll also note that I’ve used the Paragon backup (an older version). What I didn’t like was that it grabbed every partition on the system, and did really bad space management such that your backups would fill a drive.
Family Passwords. This week, Lastpass announced a new service: A family password manager. As they write: “Enter LastPass Families, where you can store everything from bank accounts to passports to credit cards. Your details are secure, organized the way you want, and easily shared with your spouse, kids, in-laws, and more. You can even give access to others in the event of an emergency. The family manager can quickly add and remove members to the account, making it easy to get everyone up and running.” I still need to figure out if this service (or how this service) is an improvement over multiple Lastpass accounts. They also indicate that there is a fee for the service beyond Lastpass Premium, but if I have multiple family members with LP Premium, can things somehow be combined into one account that takes into account what has been paid. Perhaps they’ll answer this post.
Alice and Bob. I’ve always joked that when I hear the names Alice and Bob, my eyes glaze over for the crypto discussion that follows. But why Alice and Bob? What is their history? This article answers that question. It details the major events in the “lives” of Alice and Bob, from their birth in 1978 onwards.
Erasing Data. Here’s a pretty good summary of how to erase data from both magnetic and solid state drives. File it away; it may prove useful.

===> Click Here To Comment <==
(Click Here to Comment)

Over the past few weeks, I’ve collected a number of articles related to, shall we say, work-related topics. Here is where I share them with you, while enjoying my lunch:

Headline: “Air Force operationalizes new cybersecurity plans“. This is a real interesting article detailing some of the changes being made in the Air Force to improve their cybersecurity stance. For those with an interest in cybersecurity and resilience, it is a move in the right direction.
Headline: “There may soon be a new US military service — for space“. There’s one problem with the US Air Force. There’s no air in space. This article is about a potential separation between the Air Force side and the “Space Force”, with a notion that the Space Force would be like the Marines: part of, but yet separate from, the Air Force. It will be interesting to see how this pans out.
Headline: “Malware protection for air-gapped systems“. One of the ways we supposedly protect system is through air gaps — that is, no actual network connections. Yet as we saw with Stuxnet, such gaps don’t always work. This explores the way one vendor is addressing protection for such systems.
Headline: “U.S. to create the independent U.S. Cyber Command, split off from NSA“. The Department of Defense has many broad commands, most representing geographic areas (think Atlantic Command, Pacific Command, etc.) or broad functional areas (Strategic Command). One recent command created was Cyber Command, but it was part of and colocated with NSA. This article, as well as this one, discuss the potential separation of the two. This would permit Cyber Command to focus on cyber-related defense activities (and possibly offense), and NSA to focus on its intelligence role. What they don’t discussion is the disposition of the unclassified side of NSA — what was once the National Computer Security Center, and now would include things like the Common Criteria folk. My guess is that the separation is easier in theory than practice.

===> Click Here To Comment <==
(Click Here to Comment)

Here are some technology news chum items that have caught my eye of late:

Acronis Backup / True Image. Finding a good backup program is hard. I know. I looked for a long time, finally setting on the Acronis product. So when I saw this article about the incorporation of blockchain verification and ransomware production in the latest version, I was intrigued. Then I received an email about a 50% off sale until July 20. But then I looked at the webpage. The 50% off sale applied only to the standalone product, which doesn’t backup to the cloud, nor incorporate the ransomware protection. For those features, I’d have to go to the yearly subscription based version. Given that Acronis 2015 is working, plus I already pay Acronis for cloud storage which the backup can save to, I’m not sure I’ll upgrade. Yet. Maybe when I go to Windows 10. Eventually. But YMMV.
Authentication and Passwords. A number of items here. First, here’s a good reference on how to set up two-factor authentication on your accounts. It’s a good thing to do, whether that second factor is a text to your phone, Google Authenticator, LastPass Authentication, or something else you have. If you must use passwords, I always recommend a password manager, for it simplifies having complex, unique passwords for every account while you only have to remember one password. Tied to that (h/t to Andrew Ducker for this and the next link) is an interesting recommendation from the UK government to not require users to change passwords so often. Andrew also found an interesting discussion about what happens if you treat password recovery question answers like passwords (also known as: Why did you name your dog aftoNfAyougHTEn?). Lastly, there’s an interesting blog post from LastPass on how they notify you if your email ever shows up in a password breech database.
Firefox. It used to be that the battle was Netscape vs. IE. Nowadays, Google Chrome is the King, but it might be too power-hungry. Here are two articles on Firefox. The first explores how to enable multi-process on Firefox 54+ if it isn’t already enabled. The second gives a series of reasons why one should switch to Firefox.
Navigation Wars. Here’s an interesting piece that compares and contrasts the main navigation apps: Google Maps, Waze, and Applie Maps. Of course, I just prefer to use real maps.
Genealogy. For years, my genealogy program of choice has been Rootsmagic, the successor to Parson’s Family Tree Maker. They just added support for integration with Ancestry.Com.

===> Click Here To Comment <==
(Click Here to Comment)

This has been a busy busy week, and I haven’t had a chance to work on clearing out the news chum until now. This first collection is all computer related:

Going Phishing. Hopefully, you’re all cyber-aware. You know not to trust links in email you receive. You’ve been trained to look at where a URL goes before you click on it. You know not to click on links in email; you’ll copy the link and paste it into your browser bar. You know not to trust sites that aren’t the well-known version. But https://аррӏе.com is safe, right? Right? RIGHT? Actually, no. It may look like it reads “apple”, but that’s actually a bunch of Cyrillic characters: A (а), Er (р), Er (р), Palochka (ӏ), Ie (е). The security certificate is real enough, but all it confirms is that you have a secure connection to аррӏе.com – which tells you nothing about whether you’re connected to a legitimate site or not. This is what is called a homograph attack. It is something that can fool the best people, even if you hover over and check the link before browsing — unless you’re using IE or Edge or Safari. Ars Technica has even more information, but the short and skinny is: If you use Chrome, make sure you’re at Chrome 58 or later; if you use Firefox, enter “about:config” in the address bar, agree to the displayed warning, and then enter “punycode” in the search box to bring up a line that reads network.IDN_show_punycode. Next, double-click the word “false” to change it to “true.” From then on, Firefox will display the “dumb ascii” characters and not the deceptive, encoded ones. I’ve done that, and now I see xn--80ak6aa92e.com when I hover over the link.
Secure Coding. I grew up programming in Fortran, PL/I, Algol 68, RSTS/E Basic, and C. Except for perhaps Fortran and C, the rest are mostly dead. Today, kids program in C++ and Java — but they aren’t necessarily writing better programs. But following good standards can help. Here’s a link to a discussion on how to do secure coding in C++.
iPod without iTunes. If you are like me (and fewer are), you use your iPod for all your music (and you plan on adding more this Record Store Day). But do you backup your iPod? I do — via iTunes to my M: drive, and I back that up on my X: and W: drives and on a backup iPod. But most don’t — and most abhor iTunes. Here’s how to backup your iPod without using iTunes. I’ll not that I’ve used copytrans in the past (especially before I just kept everything in iTunes), and I’d recommend it.
Never Too Late. As I’m typing this, iTunes is playing “Never Too Late” (to tell the Truth) from Scottsboro Boys. If you’re like me, and like to tell the truth, you’ll be happy to know that Snopes is now embeddable. Here’s an example of an embedded article:
Decluttering Apps. If you’re like us, you need to declutter. The NY Times recently had a review of a number of apps that will help you do just that.
Pushy Microsoft. Microsoft is continuing to push people to subscribe to Office 365. The latest is restricting the ability to use Skype for Business and One-Drive if you are using a Microsoft Office Standalone Office product. You’ll see more and more products insisting on the subscription model: Adobe, Quicken, Microsoft, ….

===> Click Here To Comment <==
(Click Here to Comment)

Continuing to clear the news chum, here are a bunch of articles all related to cybersecurity:

NIST Cybersecurity Framework is Changing. NIST is getting ready to release an update to their Cybersecurity Framework (and other updates are planned: eventually, the IPD of 800-53rev5 will be out for review, and then an update to 800-37). A key change in the new framework is measurement: The first, which should really be the starting point for any comprehensive cyber risk management program, is an entirely new section about measuring the performance and maturity of organizations’ cyber risk programs. It also discusses the need and complexity of correlating those metrics to business objectives and outcomes. That means measuring both how organizations are reducing risk to the business and identifying the benefits to the business resulting from good cybersecurity, such as how many new customers the organization has gained and/or how much more revenue was brought in. Another significant change in the framework is the addition of recommendations surrounding supply-chain risk management. Finally, the access-control category has changed within the framework. It was renamed to identity management and access control. The change adds more focus on making sure identities and credentials are managed from the time they are created to the time they are deactivated.
Minimal Cybersecurity Requirements. Although some of us have known about this for a while, the world is growing increasingly aware of NIST SP 800-171. The new mandates take effect Dec. 31 this year and apply to contractors for the Department of Defense, National Aeronautics and Space Administration (NASA) and the General Services Administration. While some manufacturers are accustomed to working with federal agencies on classified projects, these regulations are meant to safeguard sensitive information in unclassified material, particularly as the threat of cybersecurity breaches grows. Basically, they apply to any federal contractor that handles what is called Controlled Unclassified Information.
Encryption and Protection. Protection is good. Just ask porn site Pornhub, home to things like thumbzilla and youporn. They’ve gone to always on encryption, meaning that although your ISP knows you’re going to pornhub, they don’t know what you’re looking at. Others are turning to VPNs, and here’s a good summary of how to use one. Lastly, for those worried about your ISP seeing where you go, one thing you should do is not use the ISP’s DNS. I use openDNS: 208.67.222.222 and 208.67.220.220.
Verizon and Spyware. Note that if you use Verizon Wireless, they may be pre-installing spyware on your phone.
JavaScript Popups. Google is making some changes to eliminate those popup dialogs that don’t let you leave. Such popups are occasionally useful as alerts, but their fix sounds reasonable.
Congrats to North Hollywood High. They won a national cybersecurity competition. Disclosure: My employer helped sponsor the team, although I was not involved.
Printer Cartridges. Lastly, an interesting court case that could dictate how much you pay for ink. This week, oral arguments were heard in the case of Impression Products, Inc. v. Lexmark International, Inc., and according to the well-regarded SCOTUSblog, it seems that the justices are having a tough time figuring out how to view this difficult legal tangle themselves. At its most basic, the case is a dispute over Lexmark’s patent rights regarding refilling printer cartridges. Impression Products is a small business with about 25 employees. It specializes in buying used printer cartridges and re-manufacturing them. In 2012, Lexmark decided to add Impression to an already existing lawsuit against other re-manufacturers. While the other defendants eventually settled, Impressin has stuck it out and the case has made it to the highest court in the land. The question is: Does the manufacturer give up rights to something when you physically purchase it? Can Lexmark dictate what you can do with your printer cartridge? Can HP dictate you can’t open your computer and modify it? Big key questions.

===> Click Here To Comment <==
(Click Here to Comment)

Well, I like to think I fought the good fight. I mean, I’m an old fart. Old habits die hard, and for the longest time I just kept using the term I was used to, even though it was politically incorrect. After all, I held on to other ideas that I believed were morally superior, only to watch them get discredited by the new-think, by people that didn’t know what was right was right, and what was wrong was wrong.

Eventually, though, I caved. I started using the updated politically correct term. People no longer looked at me funny, they no longer made fun of the way that I talk. As for my discredited ideas, well, I kept them to myself, lest I be made fun of. After all, in today’s world, you have to use the right terms and speak the right way and think the right things.

Right?

But then, of course, a new term came in for what I previously knew. I resisted, because resistance is good. After all, the new term was, to put it bluntly, stupid. It was idiotic. It didn’t refer to what they said it referred. But I forgot my Star Trek. Resistance is futile.

OK, “cyber“. You win. I mean, HelpNet even says as much.

I grew up in an era when it was “Computer Security” and COMPUSEC, when we believed we could write multi-level secure systems that provided high assurance. What did we get for our efforts? perl, and a High Assurance Brake Job.

Then it became “Information Assurance” and “Information Security“. A1 systems? Sorry, but A1 was reserved for steak. Multi-level systems? They were for special uses; no one would write a general purpose MLS operating system. Formal Methods? Never in your wildest dreams — that’s Gypsy talk. Ina know about you, but I need some Jo.

But now? We have Cybersecurity and Cyber and Trustworthiness. We’ve lost the war. Here’s what HelpNet has to say:

We have lost the cyber war. No, not that cyber war. Maybe war of words is a better way to put it. Whether we like it or not, cyber has become the default way for everyone else to talk about what we do.

[…]

It’s tempting to take the moral high ground and refuse to engage with cyber. Instead, we could choose to refer only to information security because we believe it accurately reflects both physical documents as well as digital assets, while giving importance to each one.

It’s fair to say that some of the industry’s suspicion about cyber comes from the fact that it’s broad enough to cover the charlatans in the industry who think there’s a buck to be made by scaring people into stocking up on silver bullets instead of informing them in a responsible way about how security can help them to do business better.

[…]

But if you open a dictionary, you’ll find cybersecurity is the only term of its kind. One survey ranked information security as the least popular term among the general public, even lower than e-security.

e-Security? Well, at least I can be thankful that term didn’t win.

e-Security? Sheeesh.

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1906056.html

If you’ve been following the technical news the last few days, I’m sure you’ve seen the articles about the vulnerabilities discovered in Lastpass (a popular password manager, and one that I use). You may have even seen people complaining that Lastpass was slow to fix vulnerabilities and that one shouldn’t use browser extensions and such. To me (someone who works in cybersecurity), this demonstrates yet again that most people have no idea at all how to assess risk.

This is a great example of this. The vulnerabilities announced above depend on visiting a malicious website. Think about the websites you visit on any given day. The vast majority are probably from some small set of the same sites: social media, news sites, banks, well-known shopping sites, perhaps well-known games. All with low odds of being malicious. Your only exposure might be if you click on an ad (most of us don’t do that) or click on an unknown link in an email (your mother taught you better). So, for the vast majority of people, the odds of going to a malicious website that has a newly released vulnerability that targets a specific password manager is low. Although you may see FUD (fear, uncertainty, distrust) otherwise, such as this statement on the Lastpass forums:

You mentioned exposure. There is always the possibility that someone discovered the bug previously, harvested the information and is sitting on it. Due to the nature of LastPass the level of the compromise is greater than any other tool or device as it would provide information to all passwords (as I understand it), not merely a matter of changing the password to your email or facebook account but could consist of updating 100’s of passwords. That 2FA appears to have been side stepped by this compromise is a large worry.

(2FA refers to two-factor authentication). Let’s assume, as this author did, that someone discovered the bug previously, harvested the info, and is sitting on it. Exploitation still requires visiting a malicious website, and it having a targeted attack in place. From the Lastpass blog on the subject:

To exploit the reported vulnerabilities, an attacker would first lure a user to a malicious website. Once on a malicious website, Tavis demonstrated how an attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as user’s login credentials.

Based on this description, they wouldn’t even be obtaining all passwords. They would have to do so one at a time. If you practice good security hygiene and enable 2FA whereever you can (not just Lastpass), even if you did visit a malicious website, and even if they had a targeted attack, and even if they guessed one account right, 2FA would defeat them on that account, or you would have noticed something. In other words, low odds of it being exploited.

As for the time to correct the problem, Lastpass had updated extensions in place (which auto-update) within 24 hours. The researcher that identified the vulnerability even acknowledged as much in this updated article (scroll to the bottom). We’ve gotten used to reported Windows vulnerabilities — which might be in the wild — being corrected in a month if we’re lucky. Similarly for Flash vulnerabilities. Both see much greater use, and much greater exposure. Here you had reasonably rapid correction of a bug.

Tavis Ormandy @taviso : Two more LastPass bugs fixed today https://bugs.chromium.org/p/project-zero/issues/detail?id=1188 … and https://bugs.chromium.org/p/project-zero/issues/detail?id=1217 …. Very quick response from LastPass, < 24hr.

Tavis Ormandy @taviso : Very impressed with how fast @LastPass responds to vulnerability reports. If only all vendors were this responsive

Lastly, there are folks out there that believe software should be bug-free. Programmers believe that as well, but recognize it is an impossibility. Turing Award Winner C.A.R. Hoare said it best:

There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. It demands the same skill, devotion, insight, and even inspiration as the discovery of the simple physical laws which underlie the complex phenomena of nature.

Dahl, Dykstra, and Hoare, back in 1972, also noted that provably bug-free software is impossible: “Program testing can be used to show the presence of bugs, but never to show their absence.” We should expect our software to continue to have bugs, perhaps becoming more esoteric and harder to exploit as time goes on, but there none-the-less. All we can ask then is rapid patching.

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1904638.html

Amongst the political and transitional news chum I’ve been collecting of late, there are a number of articles that are more informational — that is, they provide some really useful tidbits and insights. I’d like to share them with you:

Increasing Battery Life. Frustrated with the battery life on your Android phone? Here’s how to make it better.
Film Projection. Here’s an interesting article on how film projection got so complicated, and how to find the best projection of what you want to see.
Stripped Screws. We’ve all done it — stripped the top of a screw. Here’s how to remove a stripped screw.
Your Mail. As you probably know, the USPS scans every envelope (outside only, so they say). They are modifying their app so you can opt in to seeing what mail you’ll be getting before it is delivered.
Smart Meters. It turns out that smart meters are not so smart after all — they can get confused by line noise and overbill you. Here are the details.
Ransomware. We’ve all heard about it; we might not know what to do about it. Here’s a good guide to ransomware and how to deal with it.
Facebook Quizzes. Here’s an article that states something I’ve been saying for years: those Facebook quizzes that go around may just be a front to steal information, which is then later used to phish you or impersonate you.
Autoplay Audio/Video. (ETA: Here’s an article on how to stop websites from autoplaying audio and video)

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1902615.html

Password. The security mechanism we love to hate. Or hate to love. Or grudgingly tolerate. In any case, if you use passwords, you know you are encourage to (a) enable dual factor authentication whenever and where ever possible; (b) use the strongest passwords possible; and (c) use a unique password on every site. For (b) and (c), the easiest way to do this is to use a password manager (I use Lastpass), and have it generate strong passwords for sites (I have it generate long pronounceable passwords, and then modify them with digits and special characters). That still, of course, means you need a strong password for the password manager.

Many years ago, in the days of Dockmaster, there was a generator that would generate strong, prounceable passwords. For a few years I used those, then I went to grabbing words from various places and combining them to create master passwords. Yesterday, I found another solution. Here is a site that generates nonsense words based on a frequency list of phonemes as they occur in legitimate English words. You should be able to get strong master passwords by combining words and making permutations to add special characters, digits, capitalization, etc.

Here is an example of some generated words: minating ocrates exishering hophish diuraggramely tilized middly apissong moratierencess antinumeted fances vaultanewns gunfins ineake snaphypong misplake quarout hightfulus ansprubblet midweir objecta steton lishep ratinessy mententes.

Hopefully, you’ll find this useful.

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1895726.html

This is a quickie collection of news chum items related to security that have caught my eye:

Weaponized Narratives. I did a whole separate blog entry on this, but I wanted to highlight the original article again in light of the emergence of “alternate facts”. Remember: A weaponized narrative “seeks to undermine an opponent’s civilization, identity, and will by generating complexity, confusion, and political and social schisms. It can be used tactically, as part of explicit military or geopolitical conflict; or strategically, as a way to reduce, neutralize, and defeat a civilization, state, or organization. Done well, it limits or even eliminates the need for armed force to achieve political and military aims.” Alternative facts? Excuuuuuuuse me. They are yet another weaponized narrative.
Ransomware. eWeek had an interesting article on some free software that claims to help fight off ransomware. This software is called RansomFree, from security company Cybereason. Once it’s installed (windows-only), it does three things. First it can detect the ransomware malware when it arrives on a computer if it has a signature it recognizes. But because of ransomware families rapidly evolve, it also watches the activity of the ransomware looking for attempts to encrypt files. Finally it deceives the ransomware into thinking its working, when in reality all that it’s doing is operating in a secure honey pot of a container. Think about that last point for a moment: a ransomware honeypot. Cool.
Infrastructure Security. A number of recent incidents in Las Vegas highlighted the Strip’s vulnerability in terms of infrastructure. In November, Paris Las Vegas was evacuated after an errant drilling severed its main power line; customers were not cleared to return for nearly a day. Shortly before New Year’s Eve, an unfortunate series of events that began with an overflowing sink sparked an outage that darkened the Rio’s Masquerade Tower (the tall one). The tower wasn’t fully reopened for a week, straddling both the New Year’s holiday and the start of CES, two peak occupancy periods. Earlier this month, Palace Station fell victim to an interruption in Nevada Power service that darkened the property for about 90 minutes. A similar outage had affected power at Palace Station—also for 90 minutes—in July. The MGM/New York-New York outage this month, reportedly caused by a windstorm blowing debris into a substation, lasted just over an hour. These all demonstrate inadequate contingency planning, or more important, resiliency, in the design of the buildings.
Phishing Attacks. There’s a new Gmail phishing attack going around, and it is one that can fool the best users. The phishers start by compromising a Gmail account, then they rifle through the emails the user has recently received. After finding one with an attachment, they create an image (screenshot) of it and include it in a reply to the sender. They use the same or similar subject line for the email, to invoke recognition and automatic trust. “You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again,” WordFence CEO Mark Maunder warns. The phishing page is a good copy of Gmail’s login page, and its URL contains the accounts.google.com subdomain, which is enough to fool many into believing that they are on a legitimate Google page. You can take it from there. Even the smartest people, with the right page, will click on an link in an email without examining it. I’m sure you’ve done it; I know I have.
Automotive Security. If you have a relatively new vehicle, you are driving an increasingly sophisticated computer that can be easily attacked. But fear not… or fear more. A consortium of researchers announced the development of a universal, free, and open source framework to protect wireless software updates in vehicles. The team issued a challenge to security experts everywhere to try to find vulnerabilities before it is adopted by the automotive industry.
Password / Form Security. Passwords are often stored in places you least expect, or obscure places that you do expect because you stored them there. One way around that mess is to use a good password manager. But you need to remember to get rid of the passwords stored outside the manager when you do. Did you? Further, that form completion can also get you into trouble by completing saved personal information into fields you don’t expect. Again: use a password manager with form completion.

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1888430.html

As you have probably figured out by now, I accumulate articles of interest as I wander the web, and periodically collect them into themed articles.Today is no exception, and our topic for today is cybersecurity — specifically, whether anyone is safe online (or is it just an illusion), and how to really make the situation better.

Foreign Actors. In recent weeks, a big question has been whether Russia hacked the US — particularly, the DNC and RNC. Donald Trump, in his news conference today, finally admitted that it was likely Russia did, but that other countries could as well. What is the basis for the belief that Russia was behind things? Brian Krebs, in an article written before the CIA report was released, has a very good analysis. Krebs notes, “It probably doesn’t matter how many indicators of compromise and digital fingerprints the Obama administration releases on this incident: Chances are decent that if you asked a panel of security experts a year from now whether the march of time and additional data points released or leaked in the interim have influenced their opinion, you’ll find them just as evenly divided as they are today.” This is because providing strong attribution is difficult, short of your hacker being stupid, just because of the nature of Internet communications. The article points out that there are specific breadcrumbs that lead to the conclusion, and notes why the public has become skeptical. Of everything. I suggest you read that analysis, and then think about it in light of the BBC disclosure that there are unconfirmed reports that Russia has something on Trump. Ask yourself: If the Russians hacked the DNC, why did they want Trump to win (this is not to say they manipulated the election to do so)? Could it be that they didn’t need to worry about him for other reasons?
Data Breaches. Brian also has a really good article on data breeches, and in particular, some immutable truths about such breaches. He explains them in more detail in the article, but here they are in a nutshell: “(•) If you connect it to the Internet, someone will try to hack it. (•) If what you put on the Internet has value, someone will invest time and effort to steal it. (•) Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it. (•) The price he secures for it will almost certainly be a tiny slice of its true worth to the victim. (•) Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.” First, think about this with respect to the above. Both the DNC and RNC had servers on the Internet. Were they hacked? Most certainly. What was that information worth? Ask Hillary Clinton. Now, you deal with banks and businesses that put your information on the Internet. Now think about the truisms above. Which organizations should you deal with? How much do they value your information?
Online Shopping. Dovetailing with all of this is an article from my web hosting service, Webhost, on what to be aware of when you shop online. They, too, go into a bit of detail, but their tips boil down to: (•) Shop online at home (or on a secure connection); (•) Make sure you have text, email, and/or phone security alerts set up with your financial institutions; (•) Always look for HTTPS when shopping; (•) If you’re shopping through a retailer’s mobile app, make sure it is an official version with a reputable company or developer behind it; (•) Use the ‘too good to be true’ rule and trust your gut. I’d add to this the adage to stay in a well-lit well populated part of the Internet. By that I mean: use companies that have a reputation to uphold — they are more likely to do things right.
Solving the Problem. The underlying problem for all of the above is that we are using a system that was never meant to be secure. That’s right: the basic and original protocols didn’t think about security because they believed everyone was trustworthy. The corollary to this is: if you want a secure system, you must engineer the security in from the start. Related to this, NIST has just announce a system security engineering website, based on their work with NIST SP 800-160. I’ve been doing a lot of close work with 800-160, and am working on gaining a deep understanding on it, and well as how all of the related processes (assessment, acquisition, and lifecycle) can work together. But 800-160 is a good start.

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1885040.html

Well, sorry to say (from my point of view), but it looks like Donald Trump has won the electoral college vote. We won’t know for sure until the votes are counted by the House in January, but I’m sure that election won’t be hacked.

Yup, sure.

Unlike, say, how the election that got us Trump was hacked. We may never know whether what the Russians did was sufficient to change votes, but we know how they did it, and some of the ways the influence occured. So, let’s see if you can be smarter than a Democrat. Note that I’m not saying “Democrats” in general, but some specific Democrats in Hillary’s organization.

How did they basically do it? Social engineering. Read the New York Times account of the hack. Podesta was phished, and the starting place was a purported message from Google indicating an account had been hacked, and a password needed to be changed. That, combined with a warning message that mistyped “illegitimate” as “legitimate”, and the damage was done.

See, what people forget is that the weakest link in the security chain is the human link. It is incredibly easy to do a social engineering attack. Our nature is such that we want to be helpful, and we fall for it. Here’s an example: During our recent security conference, one of the banquet staff found a USB drive that someone left behind, and he asked us to return it to its owner. We promptly tossed it. What would you do? Many people would put it in their computer to find the owner — and potentially be hacked. Or they would just announce it and hand it to the owner, letting them be hacked. One never knows what changes were made to that drive when it was out of your sight (this, by the way, is a good reason to use encrypted USB drives).

What about other attacks? Those ads you see on webpages? They can insert malware into your router without you knowing it. They could bring in ransomware? My malware dectector has frequently intercepted malicious ads on non-malicious sites. Sites you go to every day. These sites often don’t have control of their ad networks.

By the way, you do have regular backups, right? Not always connected to your computer? Not in the cloud? Could you survive the sudden loss of your data?

As they say, fool me once, shame on you. Fool me twice, and…. well, we’ve just seen the fool get elected. Let’s not be fooled again.

P.S.: And what should you do about the fool? The answer is not to use your computer to sign a petition or send an email. The answer is to take time and write your congresscritters and senators, and as many other congressional people as you can, a hand-written letter. Legibly. This shows that the issue is important for you to take the time. Send it to their local office, or call. Insist that Congress hold Trump to the exact same standards of ethics, no conflicts of interest, and highest quality of minimally-partisan appointments to which they held Obama. Different Presidents should not have different standards. And, just like with Obama and Bill Clinton, they should investigate the littlest impropriety or questionable action by the President or any member of his administration. All Presidents and his staff should be held to the same standards.

PS: And if you don’t hold with that position, then please explain why Trump should not be held to the same standard. Party shouldn’t make a difference in how we expect the President to behave, so you must have some other reason. Our President should be the role model for the country, someone that our children can look up to see how a leader behaves.

Share/Bookmark

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1878966.html

userpic=cardboard-safe A number of people I know refuse to vote for Hillary because they believe she mishandled classified information, and that the FBI was wrong in not prosecuting her. I’d like to convince them otherwise. So let’s do some reasoning, shall we?

We are talking about email here. What is a unique characteristic of email? It has a sender and a receiver. Suppose you are friends with Jared Fogle, the Subway guy. He decides to send you an email with one of his favorite pictures of children attached. It arrives in your server, unsolicited. Are you guilty of possession of child pornography? Even if you delete it when you receive it? It’s a serious question. I was once at a security conference where someone said one of the best attacks in the world is to go to a conference room computer, load child porn from a thumb drive onto that computer, and then delete it… and then report the person for possessing child porn. Look, he even knew he was guilty when he deleted it, right?

Wrong. The criminal is the person that loaded the illegal material, not the recipient.

The same rules apply with classified information. If someone emails you a classified document over an unclassified system, the person who is in big trouble is the person who originated that document (i.e., took content they knew was classified and entered it into an unclassified system) in the first place. The person who receives it is suppose to recognize and report it (although that doesn’t always happen), and their computer is appropriately cleaned (often with only a minor warning to them, because it wasn’t their fault).

Think about what you know about Hillary’s server. The messages that were found were sent to her; she didn’t originate them. At worst (and this is a supposition), she inadvertently forwarded them because they were not marked properly (plus who would send her classified info on a public computer).

But, you say, people have been prosecuted for having classified information on unclassified computers. Yup. But look at those cases closely: they put that information on those systems, often with the intent to exfiltrate it to an unauthorized party. In fact, espionage laws requires that intent to be present, and provably present. I have not seen any articles that demonstrated that Secretary Clinton took a document she knew was classified, put it on her email server, and sent it to someone else with the explicit intent to exfiltrate it. That is why the FBI did not prosecute her, even though there was classified information found.

But, you say, she sent messages with classified information. Other than possibly inadvertent forwarding, my understanding of those incidents is that the information was not classified at the time it was sent; it was classified sometime later. In these cases, what matters is the classification at the time it was sent. Subsequent classification does not expose anything because there is nothing that indicates the original message was confirmed as classified information. It has the same status of classified information published by Wikileaks in the New York Times — if you don’t know it is classified, it has no authority.

Again, there is no evidence (and remember: one is innocent until proven guilty) that Secretary Clinton took information from a marked, classified document, and then entered that information onto her server with the intent to exfiltrate it. That is the crime.

If your sole reason for voting against Hillary is that you believe she mishandled classified information, then I suggest you change your mind. Secretary Clinton — as demonstrated by her debate behavior — is some that always thinks before she speaks and is always prepared. She knows what is classified, and does not discuss it publicly (unlike Donald Trump, who has disclosed some of his intelligence briefings). She is cautious in how she words things and says things; again, a behavior we have not seen in Mr. Trump). Secretary Clinton cannot control what people send her, and whether they mark it correctly. Her only infraction here is not recognizing mis-marked information and reporting it (for she has already acknowledged the mistake of having the private server in the first place, and indicated she would not do it again… and at the time she did it, private servers were permitted for unclassified information).

ETA 10/25/16: My friend Rick Smith over at Cryptosmith has a great article on this subject. Reading it, another cybersecurity colleague, Dave Bell, wrote: “This is a nice exegesis of the laws and regulations surrounding classified information in general and classified email in particular. Lapses in following Department rules on disclosure are not ILLEGAL (in the sense of violating laws) unless the information is covered by the Espionage Act (circa WWI) or the Atomic Energy Act of 1946. The article points to a more detailed, lawyerly article.”

Lastly, you’ll say, she deleted all this email. That make her guilty of something, right? Nope. In America, absence of evidence does not imply guilt. The courts require that guilt be proven beyond a reasonable doubt, and there is a presumption of innocence. Just as Mr. Trump is not guilty of all the sexual assault claims until he has his day in court, and the actual evidence presented and a jury convinced, Secretary Clinton is innocent until there is actual evidence of a crime with a conviction. One cannot have the standards be different for some citizens.

So, let’s drop the whole canard about Hillary’s emails. It is up there in the meaningless category with the canard that she is responsible for her husband’s infidelities. Ah, but you say, if that’s a canard than Trump’s behavior is a canard. Potentially, you’re right. Nothing has been proven yet in court. He is only accused, and not proven guilty. He’s as pure as Bill Cosby. Yet words do demonstrate attitude, and he is on record for what he has said, and has not (a) apologized for the words, and (b) changed the behavior. Contrast this with Bill Clinton — there has been no evidence that his behavior has been repeated since the incidents in the 1990s.

Share/Bookmark

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1868114.html

round challah userpic It’s Rosh Hashanah afternoon (L’Shana Tovah to all), and I’m exhausted from the morning. Yet I have a bunch of news chum to post. Let’s see if we can braid it into something sweet and circular, coming back by the end to where I started. This time, we’ll just give headlines and a few comments.

The O shaped iPod? On Rosh Hashanah, you dip Apples in Honey, so where else to start but with a circular Apple product. This article describes a new circular design for the iPod Shuffle that is quite cool, if a Shuffle has enough storage for your needs.
The Taxonomy of Tech Holdouts. As we’re talking about iPods, here are the nine archetypes of planned non-obsolecence, from the Anachronist to the Careful Curator. I think I’m the latter.
Navy scuttles sailors’ enlisted rating titles in huge career shake-up. Moving from holdouts to non-holdouts. The Navy is holding on to specialist ratings no more. Effective immediately, sailors will no longer be identified by their job title, say, Fire Controlman 1st Class Joe Sailor. Instead, that would be Petty Officer 1st Class Joe Sailor.
New college at Onizuka Station pays homage to the ‘Blue Cube’. Moving from the Navy to their sister service, the Air Force. Those in the Bay Area might remember the blue cube, the former Onizuka AFS. It has been converted into a local college, but still plays homage to its history. The walkways leading from the parking lot to the campus are speckled with flecks of blue paint harvested from the cube. Once inside, there is the Onizuka Cafe for hungry students and the Satellite Lounge next door for relaxation and study. Two murals that previously had been inside the cube are now hung in campus hallways. One features the Challenger shuttle with a memorial poem. The other is signed by many former employees of the Onizuka Air Force Station and coincidentally features a large owl—Foothill’s mascot—with a lightning bolt in its talons.
An Abandoned Hospital in West Adams Has Been Filled With Fine Art. Moving from an Abandoned Air Station to an Abandoned Hospital, although this one is still abandoned. The LA Metropolitan Hospital was one of the first black hospitals, but it close a few years ago and is pending redevelopment. However, for the next month, there is an interesting art exhibit in the abandoned hospital.
Texas prisons ban books by Langston Hughes and Bob Dole – but ‘Mein Kampf’ is OK. A hospital is a pubic service building, and so is a prison. So here’s an interesting prison story: prisons in Texas have banned books by Bob Dole, Harriet Beecher Stowe or Sojourner Truth. But inmates are more than welcome to dig into Adolf Hitler’s “Mein Kampf” or David Duke’s “My Awakening.” The rationale: they ban offensive language or violence or sex, but not offensive ideas.
Palestinians’ Abbas seeks British apology for 1917 Jewish homeland declaration. Moving from Hitler to another group that doesn’t like the Jews: the Palestinians. According to the Palestinian President, Britain should apologize for its 1917 declaration endorsing the founding of a Jewish homeland in Palestine and should recognize Palestine as a state.
Your Samsung washing machine might be about to explode. Moving from explosive ideas to explosive washers. The problem it appears, is a defective support rod that is causing washer tubs to separate, potentially launching wires, nuts and other parts. Boom!
The one step you shouldn’t skip when cooking with your cast iron pan. Moving from the Laundry Room to the kitchen, here are some tips regarding use of cast iron pans.
Fat Flora? Gut Bacteria Differ in Obese Kids. What do you cook in a cast iron pan? Food. And what happens if you eat too much food? You get fat. Researchers have found that obese children have a different population of microorganisms living in their intestinal tracts, compared with lean children. These microorganisms appear to accelerate the conversion of carbohydrates into fat, which then accumulates throughout the body, the researchers said.
Attack of the plastic eaters: Can mushrooms, bacteria and mealworms save the planet from pollution? Speaking of bacteria, it runs out they may be the solution to accumulating plastic. As it turns out, nature might offer us the solution to our man-made problems. Scientists around the world are harnessing — in test tubes, under glass domes, and within large bioreactors — the power of living things that can digest plastic without suffering harm.
Inside Arizona’s Pump Skimmer Scourge. Of course, if you’re in Arizona, you should keep a close eye on your plastic — not due to bacteria, but criminals that are doing a lot of skimming of gas and other credit cards.
Why the Hallmark Card Company Owns Thousands of Priceless Artworks. Plastic, of course, refers to a credit card, and who is one of the largest purveyors of greeting cards? Hallmark. Here’s the history of Hallmark, and why the company owns lot of priceless art.
UC Berkeley mascot Oski celebrates 75th birthday. Of course, you send greeting cards on an anniversary, and it just so happens that Oski, the mascot of UC Berkeley, is celebrating an anniversary — his birthday.
Horses can communicate with people using symbols. Oski is a bear, and another type of animal is a horse. It turns out that twenty three horses learned to tell trainers if they wanted to wear a blanket or not. Subjects were shown three symbols: a horizontal bar to say “I want a blanket”, a blank square for “No change”, and a vertical bar for “I don’t need a blanket”. They learned the meanings in a day or two and using them to convey if they were too warm or too cold, building the case for self-awareness.

Of course, a square is a simple polygon, and if you keep adding sides to a polygon infinitely, you end up with a circle. An a circle, of course, is the shape of the new iPod Shuffle, which permit us to spiral back to where this post began. Of course, circles and spirals are the shape of a round Challah, which we dip in honey as we wish EVERYONE a happy and healthy new year. May you all be written and inscribed for the happiest of years.

Share/Bookmark

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1863247.html

userpic=don-martin Although you’re probably still wondering why an article written in Spring 1995 seems so eerily accurate about Donald Trump today, I’d like to give you some more things that you probably haven’t thought about:

Gases and the Body. You’ve probably become more and more aware of the microbiome in our bodies. You probably haven’t given a lot of thought to the gasses in our bodies, except when they escape from ends of the digestive track. However, a new study shows how the gases swirling inside our bodies can power our brains and affect the way we act. Some gaseous neurotransmitters (or gasotransmitters) are produced by your organs and tissues. Others—such as nitric oxide (NO), carbon monoxide (CO), hydrogen sulfide (H₂S), methane (CH₄), hydrogen (H₂), and ammonia (NH₃)—are the products of fermentation in your gut by microscopic organisms like bacteria. These tiny molecules feed and help regulate your cells and those of the microbes living inside you—complex relationships that can have much larger consequences. An interesting addendum: biological processes can also be harnessed to turn Carbon Dioxide into a fuel.
Drywall. It know, it sounds like something out of Surprisingly Awesome: The exciting history of drywall (gypsum board). Gypsum is noncombustible, and compared to other wall materials, like solid wood and plaster, gypsum boards are much lighter and cheaper. As a result, drywall is popular in homes across the U.S.: According to the Gypsum Association, more than 20 billion square feet of drywall is manufactured each year in North America. It’s the staple of a billion-dollar construction industry that depends on quick demolition and building. It can also be deadly.
Architectural Security. Have you ever closely looked at the architectural characteristics when you are out and about. It turns out that many of them exist to enhance security. “The inside of a building in it of itself can be a security tool,” says Geoff Manaugh, an architecture writer and blogger of BLDGBLOG. “If you don’t think about buildings in terms of security and you don’t think of architecture in terms of burglary, you can really easily overlook these things.”
The Most Cost Effective Pizza. Due to the nature of geometric math, the larger pizza is almost always the most cost effective pizza. Just remember to refrigerate the leftovers. The math of why bigger pizzas are such a good deal is simple: A pizza is a circle, and the area of a circle increases with the square of the radius.
Embedded Links. Much as you try not to do it, a determined hacker can design a link such that almost anyone will likely click on it. Human traits like curiosity “cannot be patched” against these kinds of vulnerabilities, says one leading computer science researcher. And so, you can be the smartest security buff in the world, yet researchers could probably still trick you into clicking on a dangerous link.

Share/Bookmark

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1853184.html

userpic=levys I know my last few posts have been political — it is just that my concerns over the Republican nominee have incited a passion in me that makes me want to ensure his defeat. So a last political note, and then we’ll move on to something different to chew: some news chum about food, medicine, and science.

But first

… to those of you who cannot bring yourself to vote for Hillary because of her character and the character flaws you think you see, please read this article. You’ll learn how you’ve been fed a diet of genetically modified truth, something empty of nutrition and value, and that has spoiled your appetite for something that is actually healthy. Then read this article, and learn why the Clinton that you see in the news is very different than the Clinton those that work with her see, and why those who do work with her are fiercely loyal to her.

… to those who are Republican who still can’t bring themselves to vote for Clinton after seeing the truth — those who deny the truth about Clinton just as you deny climate science and the value of vaccines — then read this post. Learn how, as the DNC and Trump’s behavior has shown, he spits in the face of traditional Republican values, and has in fact ceded the Republican values of patriotism, love of country, belief in the people of this country, belief in the quality of the American military and support for Veterans to the Democratic party. The man is clearly not a Democrat, and does not reflect Republican values, and is not deserving of your support. If you can’t vote for Clinton, then vote for Gary Johnson or abstain for voting for President. Don’t vote for a man that clearly does not deserve to be the leader of your Republican party. (I note I say this as a Democrat, but a Democrat who believes we need a sane and valid Republican party, because it is the diversity of sane political views that leads to the compromises that makes this country strong).

And now, on to something different to chew upon:

Bell Peppers. Just as I can’t stomach Donald Trump, I cannot stomach bell peppers. Here’s an interesting analysis of the chemical difference between green, yellow, and red bell peppers.
Dealing with Tinnitus. The din of the election, and the constant irritant of the statements of Donald Trump, can be silenced by turning off the news and Facebook. Not so with the constant din of Tinnitus (which I deal with). Here’s an interesting article on some therapy to deal with Tinnitus.
Belly Fat. Trump is a fat head, something loaded with empty calories and empty promises. You know what you can do to get rid of that fat. However, one of the problems I’m dealing with — and one which neither candidate addresses — is belly fat. Here’s a good article on the best way to get rid of belly fat.
Wheat Sensitivity. Listening to the news and watching the behavior of Trump can make you sick to your stomach. So can eating wheat. It now appears that science has confirmed there are wheat sensitivities independent of Celiac disease.
Risky Behavior. I’ve been pointing out for the last few days how risky it is to vote for Trump. It is also risky to answer quizzes on Facebook. They collect far too much data. For example, just today I saw a meme going around asking people to share where they were born. How many of you have seen a security question asking where the hospital you were born in was located? Be careful what you answer.
Cybersecurity Risks. We all know how Trump has invited a foreign government to interfere in our elections by hacking into his opponent’s parties servers. What else could they hack into? Voting machines? 3-D printers? The latter is a real risk, for there are tons of risks that we can’t see in 3-D printing.
Planned Obsolescense. Donald Trump has recently taken to discounting the opinions of respected generals and Gold Star parents. He would probably encourage the business sense of another famous general, General Electric, who specifically designed light bulbs to burn out. This turns out to be a big deal for LED bulbs, who have lifetimes measured in, well, human lifetimes. But don’t worry. LED manufacturers are now designing LEDs to intentionally fail early.

Hmmm, I guess I do have politics on my mind after all.

Share/Bookmark

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1850893.html

userpic=mad-scientist I’m still working on clearing out the links that accumulated during the Hollywood Fringe Festival (FB), with a goal of getting them all done before you take off for the Fourth of July weekend. I may already be too late. Here’s a chunk that are loosely related to science, medicine, and technology:

Medicine Chum

Understanding Migraines. One of the ills that plague me are migraines (which, luckily for me, are mild compared to what others get). No one knows precisely what triggers migraines, or how the various abortives work. Some think it is related to nerves in the head, and some think it is related to blood flow. A new genome-wide association study published in Nature Genetics suggests that a migraine may primarily stem from problems with the blood supply system. This could lead to new ways to treat migraines.
More Than Human. We’re discovering more and more than the human organism is much more than the human organism — that is, much of what contributes to our health or lack thereof is our microbiome. Further, our overfocus on being “germ-free” has significantly hurt our biome, and may be the single largest contributor to our various health maladies — including obesity. Here’s another biome story — this time, the involvement of the biome with what has been called Chronic Fatigue Syndrome. Specifcally, researchers say they’ve found biological markers of the illness in the blood and gut bacteria of people with systemic exertional intolerance disease (SEID) (a/k/a CFS). Their results were published in the journal Microbiome. In this study, found clear differences between the blood and guts of healthy versus sick people. Compared to healthy controls, people with ME/CFS had weaker and less diverse bacterial ecosystems in their guts, as well as higher levels of immune inflammation in their blood. These differences were so clear that the researchers were able to spot nearly 83 percent of the time which participants had ME/CFS just by looking at their bacterial and immune response results.
Being Like Everyone Else. If everyone else did something with no proven medical benefit for medical reasons (like, for example, overusing bacterial soap), would you do it? A study that is unsurprisingly proving very viral on social networks is highlighting one such thing: most women these days are “preparing for the Olympics” for claimed medical benefit, when there is none (where “preparing for the Olympics” == “going Brazilian” == removing hair on their … == insert your own euphemism here). My attitude, for whatever it is worth, is that women are their most beautiful when they look like women — not airbrushed models or pre-pubescent girls — but women – with imperfections and hair and some parts large and some parts small and some parts inbetween. While we’re on that subject (and while we’re clearing links), here’s an article I found on two-piece suits for large chested ladies. What bothered me about that article is that the chest was the only part that was large. Why weren’t there two-pieces for ladies who happened to be large in other places as well? As it is, an article like that is just perpetuating body dismorphic ideas, just like shaving everywhere does.
How Old is Your Body? I’m 56. Recently, I’ve been wondering if there is any part of my body that has been with me all 56 years. So I was quite pleased to see an article come across my feeds that asked the same question: How old is your body? What component of your body has been around the longest time? For example: brand new fingernails every six months, 2-7 years for the hair on our heads, new skeletal muscles every 15 years. But those neurons in your brain? Never replaced.

Technology Chum

Automotive Security. We were having a discussion on our van this morning about car security, specifically how some thieves are collecting automotive RFID signals, and then going around parking lots broadcasting them, unlocking cars, and stealing stuff inside. I had noted how cars are generally better protected against theft, and how entertainment units are less likely to be stolen than radios of old. Another rider pointed out, however, that the keyless ignition cars are easier to steal. In general, our cars are weak in terms of security — so it is good at the Senator is pushing to increase cybersecurity protections in cars.
LED Streetlight Dangers. More and more cities are going to LED streetlights because they use less energy and are brighter. Now the AMA has come out with some cautions on LED lighting: cool it and dim it. The AMA’s statement recommends that outdoor lighting at night, particularly street lighting, should have a color temperature of no greater than 3000 Kelvin (K). Color temperature (CT) is a measure of the spectral content of light from a source; how much blue, green, yellow and red there is in it. A higher CT rating generally means greater blue content, and the whiter the light appears. The new “white” LED street lighting which is rapidly being retrofitted in cities throughout the country has two problems, according to the AMA. The first is discomfort and glare. Because LED light is so concentrated and has high blue content, it can cause severe glare, resulting in pupillary constriction in the eyes. Blue light scatters more in the human eye than the longer wavelengths of yellow and red, and sufficient levels can damage the retina. This can cause problems seeing clearly for safe driving or walking at night. It can also affect our sleep cycles and rhythms (which is why many people recommend using f.lux to turn down the blue on your screens in the evening).
Tweaking Your Facebook Feed. Many of us who came from LJ miss the days of a sequential feed, where you know you could catch up on your friends. Facebook has never been quite the same. But Facebook is now providing some details on how to tweak your feed. First, they’ve disclosed their news feed algorithm, which will now show posts from friends higher up in the feed than posts from Pages like news outlets. Based on these new values, there are now some specific tweaks that you can do to make your newsfeed what you want it to be.

Science Chum

Lift Me Up. You might have heard about the helium shortage. That shortage may be going away, as scientists have discovered new Helium resources, and new ways to extract it. That’s good news, as helium is a vital nobel gas (used in much more than balloons), and there is not an easy way to make more.
Drill Me Down. Scientists also believe they have found new water supplies in the central valley of California, albeit at a deeper depth and with greater salinity. Will this solve California’s drought? I doubt it.

Science People In the News

New Position: Steve Isakowitz. The Aerospace Corporation (my employer) has announced the selection of a new corporate President and soon-to-be CEO: Steve Isakowitz, former President of Virgin Galactic. Iskowitz is also a former CTO of Virgin Galactic. Previously, he held a wide variety of senior engineering, business, and management roles across the private and government sectors, including positions at NASA, the Office of Management and Budget, the Intelligence Community, and the Department of Energy. He replaces Wanda Austin, who has reached the corporate age limit for VPs and above.
Passing: Simon Ramo. Simon Ramo, the “R” in TRW, has passed away. Ramo shaped California aerospace and the space industry through organizations like TRW, and I should note that he is responsible for the company I work at: The Aerospace Corporation is actually an FFRDC spin-off of STL, Space Technology Laboratories, which went on to become TRW.
Passing: Steve Walker. Word came to me Thursday morning of the passing of Steve Walker, one of the seminal people in the field of cybersecurity. The formal obituary and funeral arrangements haven’t been published; I found a bio here. We’ll get something up on the ACSA In Memorium page as soon as we can.

Share/Bookmark

===> Click Here To Comment <==
(Click Here to Comment)

Crossposts: http://cahwyguy.livejournal.com/1846539.html

userpic=cardboard-safe If you hadn’t figured it out by now, I work professionally in the field of cybersecurity. One of the concerns in my field is the question of risk: how to manage it, how much is tolerable for an organization, what can be done to mitigate it. All of the cybersecurity techniques you know are related to the question: virus scanner mitigate the risk of malware; passwords mitigate the risk of unauthorized users; firewalls mitigate the risk of unauthorized systems accessing a network, and so forth.

I’ve been thinking a lot about risk in the aftermath of the tragedy in Orlando, and in particular about the reactions of our presumptive leaders, as well as the initiatives that always start after an event like this. Naturally, I see them all dealing with risk in some ways, and in someways misunderstanding risk.

Donald Trump has blinders on with respect to risk. He clearly sees risk — a lot of risk — in immigrants and terrorists, but is blind to the risk of home-grown terrorism, or risk that comes from easy access to assault weapons. Further, his approach to the risk he sees is to be clearly risk adverse. He has a low risk tolerance, and wants to (if possible) eliminate the risk through closing down immigration and building walls. His approach is impractical and costly, as experience has shown.

Hillary Clinton understands that the risk will be present, and wants to reduce it (understanding that it cannot be eliminated). This is where the call for restricting selected gun sales based on findings from background investigations, and calls for restricting the types of weapons come from. They will not eliminate all the possible terrorist actions on American soil, but they will serve to reduce the risk of those actions.

The mass populace also has difficult understanding the difference between risk mitigation and risk avoidance. There are segments who believe that all guns should be banned. Those folks have blinders on regarding risks: banning guns will not eliminate all gun risk (for there is still the criminal element), but it also ignores non-gun attacks. There are some who believe the more moderated approach of increasing the difficulty to get attack weapons is pointless if attacks are still possible. They are the type that are risk averse, and fail to see the benefit that comes from reducing risk.

With respect to terrorist attacks and home-grown gun attacks, we need to understand that we cannot eliminate them completely. The potential is already there, with existing weapons and the free-flow of ideas that our society permits. That is a risk we must accept. What we can — and must — do, is reduce the risk where we can: this means reducing the ability to buy and sell weaponry that can create massive casualties, increasing our ability to be resilient in the face of attack, and aggressively going after home-grown terrorism and terrorist cells (within our existing legal framework), with increased monitoring of those identified as being sympathetic or involved with those homegrown causes (again, while still remaining in our legal system with respect to monitoring and the rights of US citizens).